In October 2012 our shortened URL (www.thewillandthewallet.org) expired and was purchased by spammers before we were able to reclaim it. Part of their misuse includes redirecting this URL to an imposter site that has advertisements posted in the comment boxes. Stimson is working to take down that site and reclaim the domain name. In the interim, please update your bookmarks accordingly to www.thewillandthewallet.squarespace.com. Thank you all for your patience as we work through this issue.

“Modest reforms to pay and compensation will improve readiness and modernization. It will help keep our all-volunteer force sustainable and strong. Keeping faith also means investing sufficient resources so that we can uphold our sacred obligations to defend the nation and to send our sons and daughters to war with only the best training, leadership and equipment. We can’t shrink from our obligations to one another. The stakes are too high.”

Deputy Defense Secretary Bill Lynn, the Department’s front man on cyber-security, rolled out the new strategy in an address at NDU last week. As with every threat scenario, gauging and managing risk is key.

Lynn started with some helpful perspective. “Disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud,” he noted. “The vast majority of malicious cyber activity today does not cross this threshold.”

Things still look ominous to Lynn, though. He warned later in the speech:

“We stand at an important juncture in the development of the cyber threat. More destructive tools are being developed, but have not yet been widely used. And the most malicious actors have not yet obtained the most harmful capabilities. But this situation will not hold forever. There will eventually be a marriage of capability and intent…”

The Will and the Wallet (quite regrettably) has no independent intelligence service to assess this risk. Permit us a more general observation, though. In the traditional military domains – air, land, sea – actors of sophisticated capability also have sophisticated intent, and vice versa. Al Qaeda has not yet detonated a dirty bomb, for instance, or even mastered surface-to-air missiles. On the other hand, actors – let’s call them “states” – capable of building a nuclear program or fighting a conventional war understand the devastating consequences of either and are deterred.

Why wouldn’t this same pattern hold in cyberspace? Why should we plan or budget for the most destructive capabilities falling into the hands of those with the most malicious intents?

None of this is to say cybersecurity isn’t important, of course. To the contrary, Gordon Adams and I recommended cybersecurity as a top priority mission for the military in our Foreign Affairs article, and the Rivlin-Domenici Debt Reduction Panel did likewise. Still, exaggerating the risk creates a bottomless demand for resources that makes prioritizing harder.